IDS mailing list archives

Re: Question on resources needed to manage IDSes


From: "Andy Cuff [Talisker]" <lists () securitywizardry com>
Date: Mon, 1 Dec 2003 22:45:23 -0000

Hi Ken,
I'd suggest that there is no metric to define resources required to manage
an IDS.  It depends on many factors not least of which are

Type of IDS
Signature policy, do you watch for everything or just intrusions
Is there an event correlation and/or severity reduction tool
Size of network monitored
How well behaved is the user community or is it a University :o(
    Do you have a big stick to beat them when they're naughty (it makes a difference)
How secure are the underlying hosts that you're watching
Is the IDS internal or external
Type of IDS (have I said that)
Are you filtering at the border router?
Are you watching 24/7
How many resources can you throw at false positive reduction

Also look at sys admins to support/deploy/update the sensors and a DBA to
look after the databases - especially important for certain IDS

Who writes the signatures and what about research and development

Who responds to the alerts, with so many sensors it would be sensible to
have an elevation mechanism where the front line triage can pass the more
serious / harder to resolve alerts

Bottom line: "suck it and see". Start small and build up gradually, making
sure you don't bite off more than you can chew; catching up is far more
difficult than keeping up.

I hope this helps. Sorry if you feel my comments are in any way negative, but
I'm older than my years because I didn't consider the above.

take care
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com
----- Original Message ----- 
From: <kgeorgiades () toplayer com>
To: <focus-ids () securityfocus com>
Sent: Monday, December 01, 2003 3:16 PM
Subject: Question on resources needed to manage IDSes
Everyone seems to be talking about the large volume of alarms and logs
produced by IDSes.
Managing IDSes and dealing with false alarms seems to be an issue that all
IDS vendors are trying to address.

Has any one of you seen any data on how many analysts (resources) are needed
to manage IDSes in enterprises?

I am looking for a rule of thumb, something like this:
1-5 IDS sensors - 1 analyst
5-15 IDS sensors - 2 analysts
15-50 IDS sensors - 3 analysts
1 analyst for every 30 additional IDS sensors

I will appreciate any feedback that I can get.

Thanks,

Kyriacos (Ken) Georgiades
Senior Director, Product Line Management
Top Layer Networks, Inc
Tel: 508 870 1300 x 231
Cell: 508 783 5988
Fax: 508 870 9797
Email: kgeorgiades () toplayer com
www.toplayer.com

